Abstract 


This report presents the results of Failure Modes 
and Effects Analysis (FMEA) conducted for the Wind Tur- 
bine Generators. The FMEA was performed for the func- 
tional modes of each system, subsystem, or component. 
The single-point failures were eliminated for most of 
the systems. The blade system was the only exception. 
The qualitative probability of a blade separating was 
estimated at Level D-remote. 

Many changes were made to the hardware as a result 
of this analysis. The most significant change was the 
addition of the safety system. Operational experience 
and need to improve machine availability have resulted 
in subsequent changes to the various systems which are 
also reflected in this FMEA. 

Introduction 


The NASA Lewis Research Center conducted research 
and development of large horizontal axis wind turbine 
generators for the Department of Energy as one phase of 
the overall Wind Energy Program. Wind turbines ranging 
in size from 100 to 3200 kW were designed and built as 
part of this program. The object of the program was to 
develop wind turbines which would generate electricity 
at a cost which is competitive with alternative gener- 
ating methods, particularly oil. 

This paper describes some of the changes that 
resulted from using the Failure Modes and Effects Analysis 
(FMEA) as a systems safety and reliability analysis 
tool for the 200 kW, MOD-0A Wind Turbine Generators 
(WTG). Reference 1 further describes the logic for 
this approach. This analysis was originally done by 
the Reliability and Quality Assurance Office at NASA 
Lewis Research Center. Later, the government con- 
tracted with W.L. Tanksley and Associates to revise and 
update their analysis. 

The complete FMEA resulted in several modifications 
to the original MOD-0A WTG design. These included 
changes to the microprocessor (hardware and software), 
the safety system, the yaw system, the drive train, the 
supervisory system and the electrical system. The 
analysis was limited to a level of detail that would 
assure safe, reliable, machine operation. The MOD-0A 
portion of the program has now been completed and the 
machines have been removed. 

Machine Description 

A photograph of one MOD-0A machine, located on 
Culebra Island, Puerto Rico, is shown as Fig. 1. 
Nearly identical machines were located in Clayton, New 
Mexico, Block Island, Rhode Island, and Oahu, Hawaii. 
The blades measured 125 ft, tip-to-tip. The hub center 
was 100 ft above ground level. The blades rotated at 
40 rpm. The blades were mounted on the rotor hub, as 
shown in the cutaway drawing included as Fig. 2. The 
pitch actuator pitched the blades through a set of bevel 
gears located inside the hub. The hub was attached to 
a low-speed shaft which was connected to a speed 
increaser gearbox. A fluid coupling, attached to the 
1800 rpm output shaft of the gearbox helped dampen out 
power oscillations. A high-speed shaft then transmit- 
ted power to V-belts which drove a synchronous alterna- 
tor. The machine was housed in an 8-ft diameter nacelle, 



FIGURE 1. - MOD-0A WIND TURBINE AT CULEBRA ISLAND, PUERTO RICO. 


MOD-0A 200 kW WIND TURBINE 
SCHEMATIC OF NACELLE INTERIOR 



FIGURE 2. - CUTAWAY DRAWING OF TOWER MOUNTED EQUIPMENT. 
mounted on a turntable bearing located on top 
of a truss tower. A dual yaw drive system kept the 
machine aligned with the wind. 

The wind turbine was controlled by a microprocessor, 
two closed loop servo systems, and a safety system. 
It continually monitored machine status and wind 
conditions. When the wind speed reached 12 mph, the 
microprocessor signaled the pitch controller to start 
pitching the blades, gradually increasing rotor speed. 
When the alternator reached synchronous speed, the 
alternator was synchronized with the utility grid. 

After synchronization, the blades remained in the full 
power position, generating increasing power as the 
winds increased until the full output of 200 kW was 
reached at a wind speed of 24 mph. As winds increased 
further, the blades gradually feathered, spilling some 
of the wind, to maintain the 200 kW output. 

If the wind speed dropped below 10 mph, the 
machine was shut down. If the wind speed increased 
above 40 mph, the machine was shut down to avoid high- 
blade loads. When the wind speed dropped back to 
35 mph, the machine was restarted. The microprocessor 
also monitored several noncritical variables to shut 
the machine down if necessary. 

The first closed loop servo system regulated the 
pitch of the blades. Blade pitch regulated machine 
speed from initial blade rotation until synchronization 
with the utility grid and regulated the power generated 
after synchronization. The second closed loop servo 
measured the difference between the actual wind direc- 
tion and the nacelle direction to keep the machine 
aligned with the wind. The machine operated with the 
blades downwind and was kept aligned within 15° of the 
wind direction. 

The safety system, as the name implies, measured 
several operating variables, shutting the machine down 
if any of these variables went out of limits. These 
variables included overspeed, overcurrent, pneumatic 
and hydraulic pressures, several overtemperatures, and 
high vibration. The Safety System shutdown signal 
directly shut the machine down, regardless of what the 
microprocessor or servo controllers were doing. 

The machines were modified as operating experience 
was accumulated. The most prominent modifications 
were: 

1. Different blade materials 

2. Different rotational speeds 

3. Control system upgrades with two servo loops 

4. Incorporating several safety functions in the 
microprocessor loop. 

The FMEA was used to study these changes and 
upgraded to include the final design. 

Combined FMEA Procedure 

Numerous reliability, quality assurance and system 
safety techniques were considered. A FMEA, preliminary 
hazards analysis, and operations hazard analysis are 
very similar and many of the form entries are the same. 
The modified FMEA was chosen to be the main tool for 
listing and analyzing each component for the various 
possible failure modes. On some previous projects, one 
person or team has simultaneously reviewed the hardware 
for a system safety and a reliability analysis, see 
Ref. 2. The results have been listed on a sample FMEA 
form, see Fig. 3. Each system was studied for possible 
failure modes, causes, and effects on the machine reli- 
ability as well as on personnel safety. The necessary 
corrective action was then determined independently. 
This combined FMEA technique works quite well and saves 
a significant number of manhours. 

There is one drawback to this technique. It is 
easy to list failures that are not safety problems, but 
it is also easy to overlook safety problems which are 
not caused by equipment failures. Some examples of 
safety problems which could have been overlooked are 
the three listed below: 


1. Personnel getting caught in rotating 
machinery. 

2. Electrical shock hazards due to exposed 
terminals. 

3. Operating errors. 

These safety-related items can also be handled 
using the combined FMEA method. The reviewer has to 
make a conscious effort to consider each of the hazards 
as a possible failure mode. Hazards would be categorized 
as follows: 

1. Lack of proper safeguards in the design. 

2. Lack of operator training to follow 
procedures. 

3. Lack of human engineering causing operator 
error. 

This FMEA was primarily directed at identifying 
those critical failure modes that could be hazardous to 
life or could result in major damage to the system. 

The analysis was organized by systems to help limit the 
number of similar entries for similar events that could 
occur. The system was analyzed so that no major damage 
should occur because of a single-point failure or a 
single failure following an undetected failure. The 
analysis was qualitative in nature and was used to 
determine the cause and effect for each failure mode 
and what could be done to correct the problem. 

The FMEA was determined for the functional modes 
of each system, subsystem, or component. The electri- 
cal and electronic portions of the FMEA were limited to 
the package level, showing only constant high level 
output or zero output. Wiring harnesses, cables, and 
electrical connectors were considered to be part of the 
output or input and were not considered separately. 

The level of detail in the mechanical portion of 
the FMEA varies. For catalog, off-the-shelf components, 
only expected types of failures were considered. A 
remote-operated valve was considered to be in the failed 
open or failed closed position only. Pressure contain- 
ment and distribution systems were considered as having 
failed when the system pressure had dropped below the 
minimum safe operating level. A hand valve was consid- 
ered part of the containment system and could fail if 
the improper position would not be detected. The more 
likely failures, particularly those having severe con- 
sequences, were considered for possible redesign or the 
addition of redundant components. 

Many changes were made to the hardware as a result 
of this analysis. The most significant change was the 
addition of the Safety System. Operational experience 
and the need to improve machine availability resulted 
in additional changes to the various systems. 

Results 

While performing the FMEA, it soon became obvious 
that the worst possible failure would be significant 
overspeed, since this could result in throwing a blade. 
The consequences of all of the other failures were 
relatively minor by comparison. Based on this conclusion, 
disk brakes were added to the high-speed shaft 
very early in the design to stop the rotor, even if the 
blades remained in the full power position. The brakes 
were designed to activate if electrical power was lost. 
It would also have been desirable to have the brakes 
activate upon loss of brake actuation pressure, but only 
one machine was converted before the end of the pro- 
gram. The brakes were applied for two main conditions: 

1. Overspeed due to failures 

2. To hold the blades still for maintenance 

The analysis pointed out a number of items that 
were to be considered as primary safety devices. The 
reliability of these systems had to be maximized. Fac- 
tors to be considered in attaining maximum reliability 
were: redundancy, minimum electrical path, quality of 
components and periodic verification of system operation. 
These items included the following: 
SYSTEM: SAFETY SYSTEM - DWG. 1016F11, SHEETS 1 & 5; 1016F12 

COLUMNS: ITEM / FAILURE MODE / CAUSE / EFFECT / CORRECTIVE ACTION / REMARKS 


ITEM 1. ALARM CIRCUIT "A" (DWG. 1016F11, SHEETS 1 & 5; 1016F12) 

    CAUSE 1. ELECTRONIC FAILURE. 

    FAILURE MODE 1A. INADVERTENT REMOVAL OF SIGNAL TO SSR1. 
    EFFECT 1A. NO START OR EMERGENCY SHUTDOWN. REMOVING SIGNAL FROM 
        SOLID STATE RELAY 1 (SSR1) DE-ENERGIZES RELAY K1 WHICH 
        DE-ENERGIZES RELAY K2. DE-ENERGIZING K2 OPENS C 8? , REMOVES 
        THE GENERATOR FIELD, FEATHERS BLADES AND TURNS OFF THE PITCH 
        HYDRAULIC PUMP. 
    CORRECTIVE ACTION 1. NONE REQUIRED - REPAIR AS NECESSARY. 

    FAILURE MODE 1B. CIRCUITS FAIL TO REMOVE SIGNALS WHEN SAFETY 
        SENSORS SIGNAL PROBLEM. 
    EFFECT 1B. LOSE PRIMARY SAFETY SYSTEM. THE FOLLOWING SENSORS ACT 
        DIRECTLY AND REMAIN ACTIVE: 
            VS1A - VIBRATION 
            PS1A - FEATHER BOTTLE PRESSURE 
            PS2A - BRAKE BOTTLE PRESSURE 
            0551 - OVERSPEED SWITCH 
            0552 - OVERSPEED SWITCH 
            HHP - PITCH PUMP PRESSURE 
    CORRECTIVE ACTION 1B. PERIODIC CHECKOUT REQUIRED. 


ITEM 2. EMERGENCY SHUTDOWN RESET PB 6 (DWG. 1016F12) 

    CAUSE 2. SWITCH ELECTRICAL OR MECHANICAL FAILURE. 

    FAILURE MODE 2A. FAILS OPEN. 
    EFFECT 2A. NO RESET IN THE EVENT OF AN EMERGENCY SHUTDOWN. 

    FAILURE MODE 2B. FAILS CLOSED. 
    EFFECT 2B. NO EFFECT UNTIL EMERGENCY SHUTDOWN OCCURS. LOGIC GATES 
        LATCH UP AND WILL NOT RESET. IF BOTH CONTACTS FAIL CLOSED, 
        SHUTDOWN WILL NOT LATCH EXCEPT THROUGH MICROPROCESSOR. 

    CORRECTIVE ACTION 2. NONE REQUIRED - REPAIR AS NECESSARY. 


FIGURE 3. - SAMPLE PAGE FROM MOD-0A WIND TURBINE FMEA. 


a. 45 rpm overspeed 

b. Low-speed shaft vibrations 

c. Emergency feather pressure 

d. Rotor brake pressure 

e. Yaw error signal 

f. Alternator overcurrent 

g. Alternator reverse current 

The next problem that surfaced resulted from the 
basic design of the machine. The Safety System was 
located in the control building at ground level. Most 
of the sensors were located in the machine nacelle on 
top of the tower. Since the machine must yaw to stay 
in alignment with the wind, the signals were routed 
through slip rings. The FMEA analysis revealed some 
potential failures in the slip rings (shorts or opens, 
depending on circuitry) that could override or bypass 
a Safety System shutdown signal. As a result, several 
redundant sensors were added in the nacelle that acted 
totally within the nacelle and did not rely on the slip 
rings for a shutdown signal path. In fact, they were 
designed to shut the machine down regardless of what 
signals the microprocessor was sending to the machine. 
These sensors included overspeed, low-speed shaft 
vibration switches, low-blade emergency feather pres- 
sure, and low-rotor brake pressure. 
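
The slip-ring finding above can be reproduced as a small FMEA enumeration. This is an added example, not code or data from the report: the two line names, the short-to-supply fault model and the effect labels are assumptions made for illustration.

```python
from dataclasses import dataclass

OPEN, SHORT = "open", "short"   # slip-ring fault modes named in the text

@dataclass(frozen=True)
class Line:
    """One shutdown signal routed nacelle -> slip ring -> ground Safety System."""
    name: str
    trip_when_energized: bool   # False means loss of signal is read as a trip

    def reads_trip(self, hazard: bool, fault: str) -> bool:
        # Level the sensor drives for this state, before the slip ring.
        energized = hazard if self.trip_when_energized else not hazard
        if fault == OPEN:
            energized = False   # broken contact: no signal arrives
        elif fault == SHORT:
            energized = True    # assumption: short to supply holds the line on
        return energized if self.trip_when_energized else not energized

# Constructed lines, one per wiring convention ("depending on circuitry").
LINES = [Line("energize-to-trip", True), Line("de-energize-to-trip", False)]

def effect(line: Line, fault: str, nacelle_sensor: bool) -> str:
    if not line.reads_trip(True, fault):
        # The ground path no longer sees a real hazard.
        return "LATENT, COVERED IN NACELLE" if nacelle_sensor else "SHUTDOWN MASKED"
    if line.reads_trip(False, fault):
        return "SPURIOUS SHUTDOWN"   # costs availability, fails safe
    return "NO EFFECT"

def fmea(lines, nacelle_sensor: bool) -> dict:
    """One worksheet row per (line, fault): the single-failure effect."""
    return {(l.name, f): effect(l, f, nacelle_sensor)
            for l in lines for f in (OPEN, SHORT)}

def single_point_failures(lines, nacelle_sensor: bool) -> list:
    rows = fmea(lines, nacelle_sensor)
    return sorted(k for k, v in rows.items() if v == "SHUTDOWN MASKED")

if __name__ == "__main__":
    for redundant in (False, True):
        print("nacelle-local sensor:", redundant)
        for row, result in fmea(LINES, redundant).items():
            print("  ", row, "->", result)
```

With the nacelle-local sensor present, the masking faults no longer defeat a shutdown but remain as latent failures of the ground path, which is the case the periodic checkout entry in Fig. 3 addresses.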

Alignment of the machine with the wind was also 
important. The direction of the nacelle was compared 
to the wind direction to keep the machine aligned with 
the wind. The FMEA pointed out the need for a redun- 
dant yaw error signal, which was added. 

There was concern that an intruder would go up 
into the nacelle and get caught in the rotating machin- 
ery. The only access route up into the nacelle was by 
using an open elevator-type device. When the elevator 
was not being used, the power was turned off from 
inside the control room and interlocked with the safety 
system. 


Conclusions 

The performance of the FMEA for the 200 kW Wind 
Turbine Generator accomplished several objectives. As 
is usually the case with this type of tool, the act of 
performing a systematic, detailed review of the design 
was very useful. The FMEA indicated the need for a 
number of design changes: 

1. Disk brakes on high-speed shaft 

2. Primary safety devices 

a. Overspeed 

b. Vibration 

c. Feather pressure 

d. Brake pressure 

e. Yaw error 

f. Alternator over/reverse current 

3. Redundant sensors 

4. Intruder alarm 

The final FMEA also gave project management per- 
sonnel a qualitative indication of the degree of pro- 
gram and safety risk that they were accepting with 
this design. 

Since this was an evolutionary R&D project, there 
were a large number of changes proposed for the machine. 
With the completed FMEA, it was easy to review the 
safety and reliability implications of each proposed 
change. By using this technique, it was shown that the 
increased safety and reliability risk of some of the 
proposed changes did not justify the change. Most of 
the proposed changes did not increase the risk and in 
some cases, decreased the risk. Finally, the FMEA was 
revised to reflect all approved changes. 

In summary, the FMEA performed for this project 
served several very useful functions. The benefits 
far outweighed the cost of performing the FMEA. 